I haven't received any response yet, so I figured I'd try cfe-dev.
Michael
From: "Morrell, Michael" <michael.morrell@intel.com>
Subject: [cfe-users] Questionable dereference of null pointer warning
Date: January 31, 2013 11:09:38 AM PST
To: "cfe-users@cs.uiuc.edu" <cfe-users@cs.uiuc.edu>

I'm getting a "dereference of null pointer" warning from the Clang static analyzer (checker-270 on MacOS) that I don't understand. A simplified example is:
=========================
/* Out-parameter setters declared but not defined in this file */
void set_x1(int *&);
void set_x2(void *&);

int foo(void)
{
    int *x = 0, *y = 0;
    set_x1(x);              /* x passed by reference to int* */
    set_x2((void *&)y);     /* y passed through a cast reference to void* */
    return *x + *y;
}
=========================

When I run "scan-build c++ -c" on this file, it complains about the dereference of y, but not x. Should there be a difference between these two cases?
This is a false positive. There should be no bug reported. Please file a bug report.
On a related note, it appears that the analyzer assumes that a function like set_x1 will always set the argument to a non-NULL value (presumably unless it can see the source and know otherwise). Is that the best assumption and are such assumptions made by the analyzer documented anywhere?
That is correct. The analyzer does assume that the value of the pointer can be anything after a call to 'set_x2', unless it can see inside 'set_x2'. The analyzer currently only performs inter-procedural analysis within a single translation unit (source file + headers). The idea is to be conservative and report as few false positives as possible. We do not have a document describing what the reasoning is in each case.
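To make the out-parameter pattern from the thread concrete, here is an added example (not code from either message, and not Clang's own): both setters are defined in the same translation unit, so an intra-TU analysis can see what they do, and the caller checks each pointer before dereferencing it rather than relying on the callee having set a non-null value. The setter bodies, the `succeed` flag, and the `-1` sentinel are constructed for illustration; passing `y` through a `void *` temporary instead of the cast reference `(void *&)y` is an assumption about what keeps the variable easier for an analyzer to track, not something the thread states.

```cpp
#include <cstddef>

// Constructed target object for the setters to point at.
static int g_value = 42;

// Always sets its out-parameter to a valid object (the set_x1 case).
void set_x1(int *&p) { p = &g_value; }

// May leave its out-parameter null, modelling a callee that the analyzer
// cannot see into, or one that genuinely fails (the set_x2 case).
void set_x2(void *&p, bool succeed) {
    p = succeed ? static_cast<void *>(&g_value) : nullptr;
}

// The thread's foo() rewritten defensively: y is handed to set_x2 through
// a void* temporary and converted back with static_cast, so y itself stays
// an int* throughout, and both out-parameters are checked before use.
int foo_checked(bool x2_succeeds) {
    int *x = nullptr;
    int *y = nullptr;

    set_x1(x);

    void *tmp = nullptr;
    set_x2(tmp, x2_succeeds);
    y = static_cast<int *>(tmp);

    if (x == nullptr || y == nullptr) {
        return -1;  // constructed error sentinel; real code would propagate an error
    }
    return *x + *y;
}

int main() {
    // foo_checked(true) yields 84; foo_checked(false) yields -1.
    return (foo_checked(true) == 84 && foo_checked(false) == -1) ? 0 : 1;
}
```

The check on `x` is redundant at runtime here because `set_x1` always assigns, but it is the check that keeps the function correct if `set_x1` later moves to another translation unit and the analyzer can no longer see its body.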